Creating an effective HIPAA compliance and cybersecurity plan can be the key to your practice’s success.
Over the past year, I’ve written a series of articles exploring specific issues related to cybersecurity and HIPAA compliance. While understanding the rationale and theory behind many of these concepts is important, for many dental offices, their needs are more specific: What do you actually need to start doing right now?
Here is my 12-step plan for cybersecurity and HIPAA compliance.
1. Do a formal risk assessment and create a HIPAA management plan
The risk assessment should be comprehensive, exploring all aspects of the IT infrastructure, firewall, administrative, physical site survey, etc. A properly done risk assessment will allow you to create a plan of action. Keep in mind, it’s not enough to have a management plan in place - you have to actually handle the items on that list!
2. Set up two-factor authentication.
This process creates a second logon needed to access secure sites. For example, if you’re signing in to your online banking site, it would send a code to your cell phone that you must enter in order to gain access to the site. This ensures that you, and only you, have access to these sites. Every major secure website should offer this at no charge to you.
3. Ensure that you have an updated policies and procedures manual in place.
Whether it’s customized from a software vendor or something more generic like the one from the ADA, you should have a set of written policies in place. Keep in mind that many off-the-shelf manuals are really just templates, and there’s a lot of info you’ll need to fill in. You can’t just buy the manual and stick it on a shelf and forget about it.
4. Encrypt all the data at rest.
This means that any computer or device that contains electronic protected health information (ePHI) must be encrypted. The good news is that many operating systems have a free encryption software called Bitlocker built in. Have an IT professional assist you if you haven’t set this up before, and make sure you document it in your HIPAA manual.
5. Use an encrypted email system.
Regular email is inherently insecure and email breaches are very common. A good encrypted email system will protect both you and the recipient, and most will run you less than $10 per user per month.
6. Have a good backup and disaster recovery system.
As I’ve mentioned in previous articles, it should include both a local backup and online backup. And, to meet HIPAA regulations, it should be encrypted, and you must test and verify it on a regular basis.
7. Patch your software systems on a regular basis.
HIPAA requires that you do this, but doesn’t really define what “regular basis” means. I recommend doing it weekly; security holes are being discovered in most programs at least that often.
8. Invest in a good firewall.
It should have logs that you can provide to HIPAA auditors, and be customizable to limit outside access to your network.
9. Have anti-malware in place.
There are plenty of decent programs out there, stay away from the free ones that often aren’t very good. Make sure you have software that includes anti-spyware.
10. Install ransomware protection.
Most anti-virus software is only mildly effective against the viruses that lock your data and require you to pay a ransom to unlock it. HHS determined in 2016 that a ransomware infection qualifies as a breach, so you should have specific protection in place against these viruses.
11. Sign Business Associates Agreements.
You must have signed agreements with any and all people and companies who have access to your data. This includes, but is not limited to, the practice management software company, IT provider, data backup company, email provider, accountant, etc.
12. Train your staff on HIPAA.
There are plenty of online courses that can be completed in under an hour. Make sure that you document who has taken the course, and include that documentation with your HIPAA manual.
Dental practices should start the process now of instituting cybersecurity measures and work toward HIPAA compliance. While it can’t be done overnight, there’s no reason to delay this; you’ll never get all of this done in time if you are notified of an upcoming HIPAA audit!